Jack Moore | April 17, 2015 6:53 pm
More than 5 million federal employees, military service members and contractors currently hold security clearances.
Clearance seekers must go through a thorough vetting — including having their backgrounds pored over by investigators and agency officials — before ultimately receiving a security clearance.
But once that access is granted, there aren’t many ways for the government to track whether a once-trusted insider — with access to sensitive government information and facilities — has become an insider threat.
Clearance-holders are reinvestigated periodically over the years. But even those with access to the most secret government data are only reinvestigated every five years. Meanwhile, new questions have been raised about the government’s ability to keep tabs on cleared employees following incidents such as the National Security Agency leaks and the Navy Yard shooting.
Understand progress being made in the evolving cyber scorecard. Download our free Expert Edition: Cyber Exposure in DoD.
As part of the special series Trust Redefined: Reconnecting Government and Its Employees, Federal News Radio examines the government’s plan to use new technology to keep tabs on cleared personnel in real-time. Some experts wonder, however, whether such a plan could be implemented successfully within the swift timelines sought by the government.
Lag-time between reinvestigations
The number of federal employees and contractors cleared for access to classified information continues to grow. Last year, the number of cleared personnel ticked up to more than 5 million, according to a report from the Office of the Director of National Intelligence.
But even as the cleared population grows, the government’s policies for keeping tabs on cleared personnel don’t appear to be keeping up.
Once investigated and approved by their agency, top-secret clearance holders — those with access to the most sensitive government data — are only reinvestigated every five years. Secret-level clearance holders are reinvestigated every 10 years, while confidential clearance holders are reviewed every 15 years.
The lag between periodic reinvestigations “is something to be concerned about because that’s your insider threat,” said Brenda Farrell, director of Defense Capabilities and Management at the Government Accountability Office.
Employees are directed to self-report issues that arise in the meantime, although experts say many employees do not and there appears to be few official sanctions for not doing so.
An independent report commissioned by the Pentagon in the aftermath of the Navy Yard shooting, conceded that the department “gains little to no insight into its cleared workforce” between periodic reinvestigations.
Further, because of the budget squeeze across government, even wider gaps have opened up.
Last year, faced with across-the-board sequestration cuts, many agencies reported that they had temporarily stopped requesting periodic reinvestigations of their cleared personnel, Farrell said.
A “significant backlog of overdue periodic investigations,” has since piled up, according to a recent report on security- clearance reform efforts published by the Office of Management and Budget. As of March, about 22 percent of top-secret clearance holders were past the five-year due date, and their agency had yet to even request a follow-up investigation.
Is continuous evaluation the solution?
Those concerns have led the Defense Department — whose employees make up the lion’s share of cleared-employees — to begin pushing for a new approach to tracking the millions of employees in sensitive government positions: continuous evaluation (CE).
In addition to occasional, one-time snapshots of a person’s fitness for a security clearance, the new system — when fully deployed — would be able to track potential warning signs in an employee’s life and career “that may have them evolve from a trusted insider to an insider threat,” said Principal Deputy Undersecretary of Defense for Intelligence Marcel Lettre in a Pentagon news briefing in March.
The new system would augment the current practice of periodic reinvestigations by regularly pulling in automated data checks from a variety of sources — credit checks, personnel files, even an employee’s social media account — to identify potential issues in near real-time.
There are already a few CE pilots underway within DoD.
ACES, short for Automatic Continuous Evaluation System, is able to pull data from some 40 different government and commercial data sources. It’s been under development by the Defense Personnel and Security Research Center (PERSEREC) since at least 2005.
When Army officials used ACES to screen a sample of about 3,370 Army service members, civilians and contractors, it turned up previously unreported “derogatory information” on more than 21 percent of those surveyed. Another 3 percent had “serious” information turn up — financial issues, domestic violence or drug abuse — which ultimately resulted in having their clearances revoked or suspended.
The Pentagon, according to a March 2014 report, also envisions a new insider-threat office within DoD that would be responsible for overseeing the continuous-evaluation platform. The new office would be staffed 24 hours and would serve, according to department plans, as a “one-stop shop” to run the system, analyze the incoming information and notify appropriate security officials.
Implementation ‘not a simple thing to do’
However, there are some big unanswered questions about the feasibility of a broader rollout of the system.
In a 2005 hearing shortly after the Defense research agency first studied continuous evaluation, DoD officials testified that the system could be implemented in a year, Farrell said.
In retrospect, that now seems overly optimistic.
Continuous evaluation “sounds like a clean approach,” Farrell said. “But it has a lot of inner workings … the leadership has got to stay involved and stay on top of it to make sure that it’s implemented.”
In a speech before a crowd of government contractors last month, Beth Cobert, the Office of Management and Budget’s deputy director for management, acknowledged the challenges.
“The concept is the right one,” she said. “The implementation needs to be done in a precise way. And we need to be able to scale it effectively. And that’s not a simple thing to do.”
In her role at OMB, Cobert been tasked with leading security-clearance reform efforts governmentwide.
System won’t be continuous — at first
As the government begins initial implementation, however, not all clearance- holders will be reviewed by the new system nor will it be continuously running or updating.
The Obama administration has called on the Office of the Director of National Intelligence to expand the initial continuous-evaluation capabilities developed by DoD to 100,000 of the “most sensitive” top-secret clearance holders across government by this September. The administration aims to continue expanding coverage over the next few years until it reaches all 1 million top-secret clearance holders. But that’s not scheduled to happen until 2017.
It’s unclear when the system could be implemented for all 5 million clearance holders.
Also as it stands now, the DoD system, ACES, is an on-demand tool only and “does not have the ability to gather and present new information continuously and in real-time,” according to the Pentagon’s report.
So, at least at first, DoD is only planning to run checks on the new system on an annual basis.
“You’re not down to continuous, you’re at periodic,” said Bill Henderson, who spent two decades conducting background investigations for both DoD and OPM before starting the Federal Clearance Assistance Service.
Since the government will only run the checks about once a year, another weakness, according to Henderson, is a continued reliance on self-reporting in the interim.
The problem is that clearance holders typically under-report issues, he said.
“There’s a big disconnect there between what’s really going on and what’s getting reported, Henderson said.
He cited figures he’s seen indicating only about 8,000 top-secret clearance holders — out of a total 1 million — typically file incident reports in a given year.
However, the perception that government is keeping closer watch may prod clearance holders to self-report, he added.
“If they put out that information to the clearance-holding population that, ‘We are going to check on you once a year,’ and they don’t know when that check is going to occur, then it provides a lot of impetus to self-report rather than to get caught,” Henderson said.
Many details remain to be worked out
The sheer size of the cleared population poses challenges, said Evan Lesser, co- founder and managing director of ClearanceJobs.com, an online clearinghouse for news and information about the security-clearance industry. If even half of all clearance holders — confidential, secret and top-secret — were eventually required to be continuously evaluated, “that’s a huge undertaking,” he said.
And many of the details still need to be worked out.
“Nobody has come up with an understanding about which information, exactly, would be monitored, how does it get done from a technical standpoint and then who reviews the monitored information and makes decisions from it?” he said.
The proposal is also an expensive project at a time when Congress is looking to tighten the federal purse strings.
“This kind of thing can’t be implemented without a whole lot of funding and a whole lot of manpower behind it,” Lesser said.
Over the course of several weeks, Federal News Radio has been investigating the security clearance process in the federal government. View more articles from our special report, Questioning Clearances: